From 775d50828ef090339ae57d93da55f46676f4bf58 Mon Sep 17 00:00:00 2001 From: Martin Roth Date: Tue, 23 Jun 2015 21:47:19 -0600 Subject: Intel Firmware Descriptor: Add Lock ME Kconfig question Add the Kconfig question to allow the user to lock the ME section using ifdtool. Change-Id: I46018c3bc9df3e309aa3083d693cbebf00e18062 Signed-off-by: Martin Roth Reviewed-on: http://review.coreboot.org/10648 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer --- src/southbridge/intel/common/firmware/Kconfig | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/southbridge') diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index 8ad1fede41..2767c0e316 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -92,4 +92,18 @@ config IFD_PLATFORM_SECTION string default "" +config LOCK_MANAGEMENT_ENGINE + bool "Lock ME/TXE section" + depends on HAVE_ME_BIN + default n + help + The Intel Firmware Descriptor supports preventing write accesses + from the host to the ME or TXE section in the firmware + descriptor. If the section is locked, it can only be overwritten + with an external SPI flash programmer. You will want this if you + want to increase security of your ROM image once you are sure + that the ME/TXE firmware is no longer going to change. + + If unsure, say N. + endif #INTEL_FIRMWARE -- cgit v1.2.3